How to remove the identity_source from an AWS API Gateway authorizer on initial deploy

Hi,

I need to remove the identity_source so my authorizer can process a variety of identity sources from unchangeable legacy applications. The authorizer is fully working in Production.

I can't create the authorizer with no identity source, as per the Terraform documentation:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer

identity_source - (Optional) The source of the identity in an incoming request. Defaults to method.request.header.Authorization.

So I remove the identity source after the fact, as per below. The issue is that on a clean create of the stack I get this:

"An error occurred (BadRequestException) when calling the UpdateAuthorizer operation: Invalid request input"

Run the Terraform below and it works, but only the second time. I tried delaying the commands with both a Terraform sleep and a bash sleep, as well as a deploy command prior to the delete.

I think that even though Terraform is claiming the create is done and I have the dependencies set, there is still a race condition.

Any way to make this clean on first deploy?

Thanks,

Marc

    # Add a custom authorizer
    resource "aws_api_gateway_authorizer" "authorizer" {
      name                             = "${local.name_prefix}-authorizer"
      rest_api_id                      = aws_api_gateway_rest_api.rtp.id
      authorizer_uri                   = aws_lambda_function.authorizerCustomer.invoke_arn
      authorizer_credentials           = aws_iam_role.rtp-gateway-role.arn
      type                             = "REQUEST"
      identity_source                  = "method.request.header.MYTOKEN"
      authorizer_result_ttl_in_seconds = 0
    }

    # Strip the identity source again once the authorizer exists
    resource "null_resource" "update-authorizer" {
      depends_on = [aws_api_gateway_authorizer.authorizer]

      triggers = {
        always_run = timestamp()
      }

      provisioner "local-exec" {
        command = "aws apigateway update-authorizer --rest-api-id ${aws_api_gateway_rest_api.rtp.id} --authorizer-id ${aws_api_gateway_authorizer.authorizer.id} --patch-operations op='remove',path='/identitySource' --region ${var.region}"
      }
    }

    # Redeploy the stage so the patched authorizer takes effect
    resource "null_resource" "create-deployment" {
      depends_on = [null_resource.update-authorizer]

      triggers = {
        always_run = timestamp()
      }

      provisioner "local-exec" {
        command = "aws apigateway create-deployment --rest-api-id ${aws_api_gateway_rest_api.rtp.id} --stage-name ${var.stack} --region ${var.region}"
      }
    }

It looks like I could modify the AWS provider, if that is likely to be accepted as a feature improvement. The identity_source is optional both in the Terraform source and in the API GW CLI when it is used precisely the way I am using it.

aws/resource_aws_api_gateway_authorizer.go: Default: "method.request.header.Authorization",

    // excerpt from aws/resource_aws_api_gateway_authorizer.go
    Schema: map[string]*schema.Schema{
        "authorizer_uri": {
            Type:     schema.TypeString,
            Optional: true, // authorizer_uri is required for authorizer TOKEN/REQUEST
        },
        "identity_source": {
            Type:     schema.TypeString,
            Optional: true,
            Default:  "method.request.header.Authorization",
        },
        "name": {
            Type:     schema.TypeString,
            Required: true,
        },
        "rest_api_id": {
            Type:     schema.TypeString,
            Required: true,
            ForceNew: true,
        },

https://docs.aws.amazon.com/cli/latest/reference/apigateway/create-authorizer.html

--identity-source (string)
The identity source for which authorization is requested.
For a TOKEN or COGNITO_USER_POOLS authorizer, this is required and specifies the request header mapping expression for the custom header holding the authorization token submitted by the client. For example, if the token header name is Auth, the header mapping expression is method.request.header.Auth.

For the REQUEST authorizer, this is required when authorization caching is enabled. The value is a comma-separated string of one or more mapping expressions of the specified request parameters. For example, if an Auth header and a Name query string parameter are defined as identity sources, this value is method.request.header.Auth, method.request.querystring.Name. These parameters will be used to derive the authorization caching key and to perform runtime validation of the REQUEST authorizer by verifying all of the identity-related request parameters are present, not null and non-empty. Only when this is true does the authorizer invoke the authorizer Lambda function; otherwise, it returns a 401 Unauthorized response without calling the Lambda function. The valid value is a string of comma-separated mapping expressions of the specified request parameters. When the authorization caching is not enabled, this property is optional.
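The following is an added example and is not code from Marc's post. It does in Python (boto3) what the local-exec `update-authorizer` call above does, but adds the two things a one-shot CLI call lacks: it checks the precondition the CLI documentation states (for a REQUEST authorizer the identity source may only be absent while caching is disabled, so the TTL must be 0), it retries UpdateAuthorizer on BadRequestException, the error reported on a clean first deploy, and it verifies with GetAuthorizer that identitySource is really gone before reporting success. It assumes a boto3 `apigateway` client (`boto3.client("apigateway", region_name=...)`); the `FakeApiGatewayClient` is a constructed stand-in with the same method names so the module runs offline, and the authorizer id `abc123` and the failure count are made up for the demonstration.

```python
"""Remove identitySource from an existing REQUEST authorizer with a
precondition check, a retry on BadRequestException and a post-check.

Added example, not code from the original post. Assumes a boto3 apigateway
client; FakeApiGatewayClient is a constructed stand-in so this runs offline.
"""
import time

# The exact patch the post issues via `aws apigateway update-authorizer`.
REMOVE_IDENTITY_SOURCE = [{"op": "remove", "path": "/identitySource"}]


def remove_identity_source(client, rest_api_id, authorizer_id,
                           attempts=5, delay=2.0, sleep=time.sleep):
    """Strip identitySource and return True once GetAuthorizer confirms it is gone.

    Per the create-authorizer docs quoted in the post, identitySource is optional
    for a REQUEST authorizer only while caching is disabled, so anything else is
    refused up front. UpdateAuthorizer is retried with linear backoff on
    BadRequestException, the error the post sees on a clean first deploy.
    """
    current = client.get_authorizer(restApiId=rest_api_id, authorizerId=authorizer_id)
    if current.get("type") != "REQUEST":
        raise ValueError("identitySource can only be dropped from a REQUEST authorizer")
    if current.get("authorizerResultTtlInSeconds", 0) != 0:
        raise ValueError("authorization caching is enabled; set the TTL to 0 first")

    for attempt in range(1, attempts + 1):
        try:
            client.update_authorizer(restApiId=rest_api_id,
                                     authorizerId=authorizer_id,
                                     patchOperations=REMOVE_IDENTITY_SOURCE)
            break
        except client.exceptions.BadRequestException:
            if attempt == attempts:
                raise
            sleep(delay * attempt)

    updated = client.get_authorizer(restApiId=rest_api_id, authorizerId=authorizer_id)
    return "identitySource" not in updated


class FakeApiGatewayClient:
    """Constructed stand-in for boto3's apigateway client (no AWS call is made).
    The first `failures` UpdateAuthorizer calls raise BadRequestException,
    reproducing the first-deploy failure described in the post."""

    class exceptions:
        class BadRequestException(Exception):
            pass

    def __init__(self, failures=1):
        self.failures = failures
        self.update_calls = 0
        # Constructed sample authorizer mirroring the post's Terraform resource.
        self.authorizers = {
            "abc123": {
                "id": "abc123",
                "type": "REQUEST",
                "identitySource": "method.request.header.MYTOKEN",
                "authorizerResultTtlInSeconds": 0,
            }
        }

    def get_authorizer(self, restApiId, authorizerId):
        return dict(self.authorizers[authorizerId])

    def update_authorizer(self, restApiId, authorizerId, patchOperations):
        self.update_calls += 1
        if self.update_calls <= self.failures:
            raise self.exceptions.BadRequestException("Invalid request input")
        auth = self.authorizers[authorizerId]
        for op in patchOperations:
            key = op["path"].lstrip("/")
            if op["op"] == "remove":
                auth.pop(key, None)
            elif op["op"] == "replace":
                auth[key] = op["value"]
        return dict(auth)


if __name__ == "__main__":
    # Offline demo: one simulated BadRequestException, then success.
    demo = FakeApiGatewayClient(failures=1)
    print(remove_identity_source(demo, "rest-api-id", "abc123", delay=0))
```

With a real client the call is `remove_identity_source(boto3.client("apigateway", region_name=REGION), REST_API_ID, AUTHORIZER_ID)`. The TTL check matters beyond the race: once identitySource is gone, API Gateway no longer rejects requests that lack the header before invoking the Lambda, so the authorizer function itself has to treat a missing or empty token as a deny.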